André Carneiro is senior managing director of Sophos in Brazil.

Recently, digital scammers have returned to an attack method called CryptoRom, which combines dating-app romance scams with cryptocurrency trading scams. These attacks use social engineering to trick victims into installing fake cryptocurrency apps on iPhone and Android. Cases were initially detected among users in Asia at the end of 2021; the scam is now returning in a more sophisticated form and on a global scale.

Victims are first contacted via dating apps like Tinder or social networks like Facebook and Instagram. Conversations are then moved to messaging apps like Telegram – this initial contact serves to build rapport between the attacker and the victim. After this initial stage, the conversation is steered toward investment topics, at which point fake cryptocurrency trading apps are installed from app stores on the phones of victims, who by then believe that this virtual contact is trustworthy.

Attackers then offer fast returns, initially requesting a small financial transfer via a legitimate cryptocurrency purchase (e.g. using Binance), after which the cryptocurrency is transferred to the fake trading app. This fraudulent tool displays quick and tempting profits to convince victims that a “virtual goldmine” has been discovered – in some cases, criminals even allow some money to be withdrawn to give the attack more credibility. This easy gain leads victims to invest more resources in pursuit of attractive profits that bear no relation to the real market, which can result in losses in the millions.

Sophos, the world leader in cybersecurity innovation and delivery as a service, whose operation I lead in Brazil, has identified the first rogue apps, such as Ace Pro and MBM_BitScan, that can bypass Apple’s strict security protocols without the attackers needing to convince victims to download fake apps that are not authorized by the platform, thus giving more credibility to the attack. Apple and Google were notified, and both have since removed the hidden apps from their stores.

It is important for users to understand that there is no free lunch and that they should be wary of any suspicious activity.

In general, it is difficult to get malware past the security processes of the Apple App Store. When Sophos started investigating CryptoRom scams targeting iOS users, hackers needed to convince people to first install a configuration profile and then download the fake app. This involves an additional level of social engineering that is difficult to overcome. Most potential victims were “alerted” that something was wrong because they were unable to download a supposedly legitimate app directly from the store, but by breaking into the App Store, scammers have increased their pool of potential victims, especially since most users trust Apple.

Such apps were also unaffected by iOS’ new Lockdown Mode, which was supposed to prevent attackers from loading mobile profiles for social engineering. In fact, these CryptoRom criminals are changing their tactics, i.e. focusing on bypassing the App Store review process, given Lockdown’s security features and the way the platform is locked down.

Ace Pro is described as a QR code scanner in the App Store, but is actually a fake cryptocurrency investment platform. Once it is opened, users see a trading interface where they can deposit and withdraw funds, but any deposited money goes directly to the scammers. Sophos discovered that, to get past the App Store, the attackers had linked the app to a remote website with legitimate functionality when it was originally submitted for review; however, once it was approved, the hackers redirected it to a domain registered in Asia, which in turn sent a request for the corresponding content from another host, ultimately leading to the scam page.

MBM_BitScan also exists as an Android app, known as BitScan on Google Play. The two apps communicate with the same Command and Control (C2) infrastructure, which in turn interacts with a server resembling that of a legitimate Japanese cryptocurrency company. The rest of the fraudulent content is rendered in a web interface, making it difficult for the platform’s code reviewers to detect it as fraudulent.

It is important for users to understand that there is no such thing as a free lunch and that they should be wary of dubious, get-rich-quick transactions. You can’t trust virtual connections with someone you don’t know personally, because romantic illusion is a social engineering technique that gives scammers several ways to attract more and more new victims.

Source: Tec Mundo

I am a passionate and hardworking journalist with an eye for detail. I specialize in the field of news reporting, and have been writing for Gadget Onus, a renowned online news site, since 2019. As the author of their Hot News section, I’m proud to be at the forefront of today’s headlines and current affairs.
